eSight V300R009C00 Operation Guide 09

How Do I Configure the TLS Protocol Version Used by eSight

By default, TLSv1.1 and TLSv1.2 can be used to access eSight clients, and you can configure the TLS protocol versions used by eSight as required. TLSv1 is an insecure protocol that carries security risks, so it is disabled by default. You are advised to use TLSv1.1 and TLSv1.2, which are more secure.

Context

eSight has six configuration files related to the TLS protocol:

  • certificate.conf
  • roa.inst.xml
  • sso.xml
  • med_node_1_svc.xml
  • ros.xml
  • Mediation_1_svc.xml

To configure the TLS protocol version used by eSight, modify these configuration files as described in the following procedure.

Procedure

  1. Stop eSight.
  2. Modify the configuration items in the configuration files listed in the following tables.

    NOTE:

    For the Linux OS, modify the configuration items as ossuser. For the Windows OS, any user can modify the configuration items. If a two-node cluster is deployed, you need to modify the configuration items in the configuration files on both the active and standby nodes.

    • The following table lists the configuration items to be modified if you want to enable TLSv1.

      | Configuration File | Configuration Item | How to Set |
      |---|---|---|
      | eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml | ssl.protocol | The default value is TLSv1.1,TLSv1.2. Change it to TLSv1,TLSv1.1,TLSv1.2. |

    • The following table lists the configuration items to be modified if you want to disable TLSv1.1 and enable TLSv1.2.

      | Configuration File | Configuration Item | How to Set |
      |---|---|---|
      | eSight installation directory/AppBase/3rdparty/nginx/conf/certificate.conf | ssl_protocols | The default value is TLSv1.1 TLSv1.2. Change it to TLSv1.2. |
      | eSight installation directory/mttools/etc/iemp.framework/roa.inst.xml | ssl.protocol | The default value is SSLv2Hello;TLSv1.1; TLSv1.2. Change it to SSLv2Hello;TLSv1.2. NOTE: SSLv2Hello has security risks and is not recommended. If this configuration item is set to TLSv1.2, JRE1.8 or a later version is required because JRE1.7 does not support some algorithms. |
      | eSight installation directory/AppBase/etc/oms.sso/sso.xml | sslProtocols | The default value is TLSv1.1,TLSv1.2. Change it to SSLv2Hello,TLSv1.2. NOTE: SSLv2Hello has security risks and is not recommended. If this configuration item is set to TLSv1.2, JRE1.8 or a later version is required because JRE1.7 does not support some algorithms. |
      | eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/med_node_1_svc.xml | ssl.protocol | The default value is TLSv1.1,TLSv1.2. Change it to TLSv1.2. |
      | eSight installation directory/AppBase/etc/oms.ros/ros.xml | ssl.protocol | The value is left empty by default. Change it to TLSv1.2. NOTE: If the configuration file does not contain this configuration item, the default value is used. To change the configuration, first manually add this configuration item. Figure 4-4 shows the configuration item that is added. |
      | eSight installation directory/AppBase/sysagent/etc/sysconf/svcbase/Mediation_1_svc.xml | sslProtocols | The default value is TLSv1.1, TLSv1.2. Change it to TLSv1.2. |

    Figure 4-4 Manually Add Configuration Item

  3. Restart eSight.
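
A check for the edits made in step 2, as an added example that is not part of the Huawei guide: it splits each protocol list on the separators the files use (spaces, commas, semicolons) and reports anything other than TLSv1.2. The function names are illustrative. The XML values are passed in as strings because the layout of those files is not shown on this page; only the certificate.conf line is parsed, using standard nginx directive syntax, and that sample line is constructed.

```python
import re

TARGET = "TLSv1.2"  # the only protocol left by the TLSv1.2-only table above

def parse_protocols(value):
    """Split a protocol list written with commas, semicolons or spaces."""
    return [tok for tok in re.split(r"[,;\s]+", (value or "").strip()) if tok]

def nginx_ssl_protocols(conf_text):
    """Return the value of the last uncommented ssl_protocols directive."""
    found = None
    for line in conf_text.splitlines():
        match = re.match(r"ssl_protocols\s+([^;]+);", line.split("#", 1)[0].strip())
        if match:
            found = match.group(1).strip()
    return found

def audit(settings):
    """Map each file to its findings; an empty list means TLSv1.2 only."""
    report = {}
    for name, value in settings.items():
        protos = parse_protocols(value)
        findings = ["extra: " + p for p in protos if p != TARGET]
        if TARGET not in protos:
            # An empty item falls back to the product default, per the ros.xml note.
            findings.append("missing: " + TARGET if protos else "unset: default value is used")
        report[name] = findings
    return report

# Constructed sample line in nginx directive syntax (certificate.conf).
SAMPLE_NGINX = "ssl_protocols TLSv1.1 TLSv1.2;  # constructed sample\n"
# Values copied from the tables above: defaults, then the "Change it to" column.
DEFAULTS = {
    "certificate.conf": nginx_ssl_protocols(SAMPLE_NGINX),
    "roa.inst.xml": "SSLv2Hello;TLSv1.1; TLSv1.2",
    "sso.xml": "TLSv1.1,TLSv1.2",
    "ros.xml": "",
}
HARDENED = {
    "certificate.conf": "TLSv1.2",
    "roa.inst.xml": "SSLv2Hello;TLSv1.2",
    "sso.xml": "SSLv2Hello,TLSv1.2",
    "ros.xml": "TLSv1.2",
}

if __name__ == "__main__":
    for label, cfg in (("default", DEFAULTS), ("after change", HARDENED)):
        print(label, audit(cfg))
```

With the values the tables prescribe, roa.inst.xml and sso.xml still report SSLv2Hello, which is the item the NOTE beside those rows calls out as a security risk.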

Follow-up Procedure

After changing the TLS protocol version used by eSight, enable the TLS protocol on the client browser. By default, the TLS protocol is enabled for Firefox and Google Chrome. For Internet Explorer, perform the following operations:

  1. Open the client browser.
  2. On the menu bar, click Internet Options.
    NOTE:

    If the menu bar is not displayed, press Alt.

  3. On the Advanced tab of the Internet Options dialog box, select the protocol you want to use, and click OK.
    • If eSight only uses TLSv1.2, select Use TLS 1.2.
    • If eSight uses TLSv1.1 and TLSv1.2, select Use TLS 1.1 and Use TLS 1.2.

Updated: 2019-05-17

Document ID: EDOC1100011877
